Welcome - Sharing information with the community related to Microsoft SharePoint security, information protection and permissions. Topics will also cover identity federation, claims and software development. Articles will at times be technical and focussed at developers/architects. They will also be higher level and discuss concepts and customer use cases. Have a look around, share your thoughts and I do hope you find some helpful content.


Sunday, May 13, 2012

The Laws of Identity - Kim Cameron & His Identity Blog

A colleague recently pointed me to Kim Cameron, the former Chief Architect of Identity and Access at Microsoft, as a source of information about federated digital identity and claims. Despite my readings into claims-based identities and authorization over the last 2 years, I'll admit that I had not heard of him. The more I read, the more I found that his contributions were fundamental to the development of digital identities and related technologies. As a fellow Canadian and Blues Brothers fan, I decided to write a short article discussing some of his contributions and point you to his excellent blog (which he still maintains).

Kim Cameron started at Microsoft in 1999, and he left in May 2011. It turns out that during his time there he led all things to do with identity. He is credited with contributing greatly to the development and popularization of claims as an intrinsic part of digital identities.

One of his most significant contributions has been The 7 Laws of Identity. Published in January 2006, I find it amazing how relevant they are today in 2012 - even more so today, in fact. These 7 laws helped to codify in real-world terms what we in the industry should build in order to enable robust use of digital identities for authentication, authorization and federation. I'm reprinting them here with the sole purpose of helping to spread the word, in the hope that this helps educate people in the industry about how identities should be managed in the digital world.

You can find Kim's full description of the 7 Laws here: Kim Cameron's 7 Laws of Identity. The following are the 7 Laws in point form, reprinted as Kim wrote them, with a little anecdote from me.

1. User Control and Consent - Digital identity systems must only reveal information identifying a user with the user’s consent.

[My Comment] Absolutely - if a system is going to reveal details about me to another system (or to other users or other developers), I want to ensure that it's only with my consent. For me to use an identity system I need to trust it, and in order to trust it the system must put me in control of my identity. In order for me to feel that the system is maintaining the privacy of my personal information, I need to be in control of what information is shared, and with whom. Facebook and Facebook Apps are a great example - when a user accepts use of a Facebook App, they are prompted with a message warning them that if they proceed they are permitting that app to have access to their user profile information. Although I personally find that this message does not go far enough in warning the user, it is a step in the right direction. Facebook has gone further in recent years towards enabling privacy of user data by allowing users to turn off access to certain portions of the user profile in their privacy settings.

Although many in the identity management industry might say that my Facebook profile is not my digital identity but rather a version of my digital identity, for many people out there (especially many young people) it is in fact their main digital identity.

2. Limited Disclosure for Limited Use - The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.

[My Comment] This law can also be described as "need to know" - in other words, only release information to systems which have a well-defined need to know; as well, only release the specific attributes about me which a system has a need to know. For example, to purchase something online a vendor needs to know my credit card number, but they do not need to know my social insurance number (social security number in the US), even though both may be part of my digital identity. The full text of this law also includes the notion that systems should only retain personal information on a need-to-know basis.

3. The Law of Fewest Parties - Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.

[My Comment] I personally find this law similar to #1 and #2, but there is an important nuance. For me, this law is more about the following: if a system is authenticating me and that system is to receive information about my identity (that is, attributes about me), then that system should be required to present a policy as to why the information is needed and how it will be used. The identity management system managing my attributes can then make decisions about how much personal information is disclosed to the system that's requesting information about me. This to me is really important in terms of helping keep my personal information private - the importance of this is becoming more and more apparent to the average person as identity theft grows. It's also something that Microsoft technologies do not do well yet.

4. Directed Identity - A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

[My Comment] The way I read this one is that we can each have multiple versions of our digital identity - some that we make public (like my Twitter account) and some that we keep private (like my corporate domain account). A public representation of my digital identity is said to be omnidirectional because I can, and wish to, transmit it to multiple public systems. A private representation of my digital identity, however, is said to be unidirectional because I want to transmit it in only one direction - for my corporate domain account at work, I only want my workplace's servers to have access to it. Today, this is dealt with by my having multiple accounts that I maintain. However, if we are ever to have a unified way of managing our digital identities, where I have 1 digital identity and multiple representations of it to use for different purposes, then this concept becomes very important.
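As an added illustration (not from Kim's paper or this post), the following Python sketch shows how an identity provider could honour Laws 2 through 4 at token issuance: it releases only the attributes a relying party has declared a need for, refuses over-asking, and hands each party its own unidirectional identifier so that two parties cannot correlate me by comparing handles. The user attributes, relying-party policies and secret key are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample: the identity provider's complete view of one user.
USER_CLAIMS = {
    "email": "alice@example.com",
    "display_name": "Alice",
    "credit_card": "4111-1111-1111-1111",
    "sin": "046-454-286",
    "employee_id": "E-1234",
}

# Constructed relying-party policies: each party states which attributes it
# needs and why (Law 3). Anything not listed is never released (Law 2).
RP_POLICIES = {
    "shop.example": {"required": {"email", "credit_card"},
                     "purpose": "fulfil and charge orders"},
    "forum.example": {"required": {"display_name"},
                      "purpose": "show a name next to posts"},
}

# Constructed secret; in practice this key stays inside the identity provider.
IDP_PAIRWISE_SECRET = b"constructed-secret-for-illustration-only"


def pairwise_identifier(user_id, relying_party):
    """Law 4: a unidirectional identifier. Deriving it per relying party with
    an HMAC means no two parties receive the same handle for the same user,
    so they cannot join their records about me without the provider's key."""
    msg = f"{user_id}|{relying_party}".encode()
    return hmac.new(IDP_PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()


def issue_claims(user_id, user_claims, relying_party, requested):
    """Build a token containing only attributes the party both requested and
    is entitled to under its registered policy; refuse anything else."""
    policy = RP_POLICIES.get(relying_party)
    if policy is None:
        raise PermissionError(f"{relying_party} has no registered policy")
    over_ask = set(requested) - policy["required"]
    if over_ask:
        raise PermissionError(
            f"{relying_party} requested attributes outside its policy: "
            f"{sorted(over_ask)}")
    token = {"sub": pairwise_identifier(user_id, relying_party),
             "aud": relying_party}
    for name in requested:
        if name in user_claims:
            token[name] = user_claims[name]
    return token
```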

5. Pluralism of Operators and Technologies - A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers.

[My Comment] We will always need multiple ways to present an identity. The example used in Kim's 7 laws talks about having a government identity for when I file my taxes, and having a different identity for when I log into my employer's corporate network, and that makes sense. This law, I believe, speaks to having multiple operators which manage our identities being able to interoperate in an open and standards-based way, in order to allow us as individuals to control who and what has access to which parts of our digital identities. This is presented as a more viable alternative to having 1 single operator that manages our identities and provides access to them for all purposes.

6. Human Integration - A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications.

[My Comment] It's well worth reading the full text about this law in Kim's document about these laws. This law comes down to us in the industry doing a better job of bringing the end user into our identity management systems in a more integral way... which I believe would be a very good thing to help fight phishing attacks and other attempts to steal our identities.

7. Consistent Experience Across Contexts - A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies.

[My Comment] In this law, Kim talks about various examples of identities that individuals may have, some public (for web browsing, for community interactions, for corporate collaboration) and some private (for personal web-based relationships, for purchasing, for government-related activities). He talks about the need to turn our digital identities into "things" that computer users can see and interact with - each of these digital identities revealing different aspects or attributes about us. Different online services we interact with (referred to as relying parties) will require us to reveal different information about ourselves - some require simply an email address, while others require a credit card number. End users will need to understand the different options available to them and thereby select the best option for the given service or the given context. Again, I believe this law is more important now than ever, as we conduct more and more of our activities online and they require important and detailed information about us.

Overall, these 7 laws provide a framework for us in the identity, access and security space to use when building our online services which intrinsically require digital identities.

In order to read Kim's writings directly, please see his web site here: Identity Blog.

Various Microsoft technologies have made some great strides in recent years towards adopting or enabling some of these concepts. In particular, Microsoft SharePoint 2010, with its support for Claims-Based Authentication and Claims-Based Authorization, has gone a long way at starting people down the road of adopting claims and integrating digital identities into their business processes in a more detailed and fundamental way. As well, Microsoft Active Directory Federation Services 2.0 is a key enabler of claims in the Microsoft stack.

There is a great interview with Gartner and Kim from 2007, found here, where he discusses Claims and the 7 Laws of Identity, and it's again amazing how much of this is even more relevant today when you think about how you want your digital identity managed and accessible: http://www.gartner.com/research/fellows/asset_187313_1176.jsp.

Kim's 7 Laws are very relevant today, with the use of digital identities growing more and more, for both consumer use and business purposes. Technology is getting there, in terms of providing appropriate support for privacy and security related to our digital identities, albeit rather slowly. We've seen some great progress in recent years with the popularization of SAML and OAuth, and their use by leading software and online service providers. I'm hopeful that we'll continue to see adoption of Kim's 7 laws in the coming years, as we see ever-increasing use of digital identities in our online world.

About Me

Antonio Maio is an information security architect with over 25 years of experience in cyber security practices and systems, product management, software development and leadership. Antonio is currently a Senior Manager and Senior SharePoint Architect with Protiviti. He has been awarded a Microsoft Most Valuable Professional award for 5 consecutive years, from 2012 to 2016, specializing in Microsoft SharePoint Server, Office 365 and Office Services. His background includes implementing cryptography and PKI systems, information security technologies, and both information governance and cybersecurity best practices. His experience with Microsoft SharePoint and Office 365 extends over the last 10 years. When he’s not helping enterprise, military or government organizations solve security challenges, you can catch him speaking at conferences or contributing to the community through this blog. In his spare time, Antonio likes to oil paint, run, make wine, read and spend time with his family.